XSS Auditor bypass with trailing semicolon from injected style attribute value
Reported by brandon....@gmail.com, Apr 17 2018
Issue description

VULNERABILITY DETAILS
When setting an element attribute value programmatically using a query string parameter value, the XSS Auditor does not prevent any malicious script content. This is blocked by other browsers such as IE11. An example of a vulnerable element (on an ASPX page, using .NET) is an element as follows: <body style="overflow-y: <%=Request.QueryString["myvar"]%>;">. If the query string contains a quote, the attribute is escaped and an element executing script is added. Although this HTML is constructed via .NET, other browsers such as IE appear to prevent this page from loading as it is directly using the malicious query string value.

VERSION
Chrome Version: 65.0.3325.181 (Official Build) (64-bit)
Operating System: Windows 10 Enterprise, Version 1703 OS Build 15063.850 and/or Windows Server 2012 R2 Standard

REPRODUCTION CASE
In the attached aspx page one can see the following defined element: <body style="overflow-y: <%=Request.QueryString["myvar"]%>;">
Simply requesting the page with a query string with script in, such as /Test2.aspx?myvar="onload="javascript:alert(1), will render the malicious HTML, causing the script to fire and the alert to pop up displaying "1".
Constructing a similar request using an eval(1+1) that is URL encoded, such as /Test2.aspx?myvar="onload="javascript:alert(eval(1%2B1)), will cause the value 2 to pop up.
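The server-side pattern the report describes, as an added example that is not part of the bug report or of Chromium: a Python stand-in for the page's raw <%= Request.QueryString["myvar"] %> interpolation, next to an attribute-encoded version and a version that first allowlists the keyword values overflow-y actually accepts. The sample URL is constructed to have the same shape as the report's PoC; the function names, the allowlist and the HTMLParser-based check are assumptions of this example, not anything from the page. In the real ASPX page the equivalent fix is validating the value and passing it through HttpUtility.HtmlAttributeEncode before it is written into the attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample request with the same shape as the report's PoC URL.
SAMPLE_URL = '/Test2.aspx?myvar="onload="javascript:alert(1)'

# The only keyword values overflow-y accepts (assumed allowlist for this example);
# anything else is not a valid value for this property and gets a safe default.
OVERFLOW_Y_ALLOWLIST = frozenset({"visible", "hidden", "scroll", "auto", "clip"})


def query_param(url: str, name: str) -> str:
    """URL-decoded value of one query parameter, '' if absent (stand-in for Request.QueryString)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Same behaviour as the page's <%= Request.QueryString["myvar"] %>: raw interpolation."""
    return '<body style="overflow-y: %s;">' % query_param(url, "myvar")


def render_encoded_only(url: str) -> str:
    """Attribute-encode the value (what HttpUtility.HtmlAttributeEncode does in .NET):
    a quote becomes &quot; and can no longer terminate the style attribute."""
    return '<body style="overflow-y: %s;">' % html.escape(query_param(url, "myvar"), quote=True)


def render_hardened(url: str) -> str:
    """Allowlist first, encode anyway: untrusted text never reaches the CSS context at all."""
    value = query_param(url, "myvar").strip().lower()
    if value not in OVERFLOW_Y_ALLOWLIST:
        value = "auto"  # safe default instead of reflecting attacker-controlled text
    return '<body style="overflow-y: %s;">' % html.escape(value, quote=True)


class _BodyAttrs(HTMLParser):
    """Collect the attribute names of the <body> start tag, as a browser would tokenize them."""

    def __init__(self) -> None:
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.names = [name for name, _ in attrs]


def body_attribute_names(markup: str) -> list:
    """Attribute names the tokenizer sees on <body>; an extra 'onload' means the injection worked."""
    parser = _BodyAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for render in (render_vulnerable, render_encoded_only, render_hardened):
        out = render(SAMPLE_URL)
        print("%-20s attrs=%s  %s" % (render.__name__, body_attribute_names(out), out))
```

Running the block shows the vulnerable rendering gaining an onload attribute, the encoded-only rendering keeping a single style attribute whose value merely contains &quot;onload=&quot;, and the hardened rendering falling back to a plain overflow-y: auto. Encoding alone already stops the attribute break-out; the allowlist additionally keeps untrusted text out of the CSS value, which is why the two belong together.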
Apr 17 2018
Live POC: https://webdbg.com/test/xss/Test2.aspx?myvar="onload="javascript:alert(eval(1%2B1))
Apr 17 2018
A shortcoming of XSSAuditor::EraseDangerousAttributesIfInjected?
Apr 17 2018
Strange, I would have thought this one to be caught; the reflection is <body style="overflow-y: "onload="javascript:alert(eval(1+1));">. There isn't any need for trickery with the %2B or the eval. I think what's going on is that the organic semicolon from the CSS page content in the onload above isn't present in the URL (adding a closing quote to the payload in the URL results in XSS detection).
Apr 17 2018
It's an interesting corner case, possibly worth handling.
Apr 17 2018
Apr 17 2018
CL at https://chromium-review.googlesource.com/c/chromium/src/+/1015602, but the person who ought to review it is out at the moment. I don't think there's a rush here.
Apr 17 2018
Apr 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5e13ca418277353beeb26e2187e992b41bd3f331

commit 5e13ca418277353beeb26e2187e992b41bd3f331
Author: Tom Sepez <tsepez@chromium.org>
Date: Fri Apr 20 21:30:49 2018

XSSAuditor fails to match style attribute's semicolon

Seems reasonable that a trailing semicolon may come from the page content itself, esp. since it is both an attribute separator in CSS and a statement separator in JavaScript, and subject to misinterpretation when one is confused with the other.

Bug: 833793
Change-Id: Ic935c77d01c53957426ed4b02f43ab92fc27d697
Reviewed-on: https://chromium-review.googlesource.com/1015602
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#552477}

[add] https://crrev.com/5e13ca418277353beeb26e2187e992b41bd3f331/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-style-attr-value.pl
[add] https://crrev.com/5e13ca418277353beeb26e2187e992b41bd3f331/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/style-attribute-expected.txt
[add] https://crrev.com/5e13ca418277353beeb26e2187e992b41bd3f331/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/style-attribute.html
[modify] https://crrev.com/5e13ca418277353beeb26e2187e992b41bd3f331/third_party/blink/renderer/core/html/parser/xss_auditor.cc
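The corner case the commit message and the earlier comment describe, as an added example that is not part of this thread and is not Chromium's code: a deliberately simplified Python model of how a reflection-based filter compares a suspicious attribute seen in the page against the decoded request URL, and why the page-supplied trailing semicolon broke that comparison. The sample request and reflected tag are constructed from the PoC in the report; the function names, the toy attribute extraction and the decision to treat the closing quote as page-supplied are assumptions of this model, and the real matching logic in xss_auditor.cc is considerably more involved.

```python
from urllib.parse import unquote_plus

# Constructed from the report: the PoC request and the markup the page echoes back.
# The ';' and the closing '"' after the injected value come from the page template,
# not from the query string.
REQUEST_URL = '/Test2.aspx?myvar="onload="javascript:alert(eval(1%2B1))'
REFLECTED_TAG = '<body style="overflow-y: "onload="javascript:alert(eval(1+1));">'


def decode_request(url: str) -> str:
    """Percent-decode the request so page text can be compared against it (%2B becomes +)."""
    return unquote_plus(url)


def reflected_handler(tag: str, attr_name: str) -> str:
    """Toy extraction of attr_name="..." from a start tag, including both quotes.
    Returns '' if the attribute is not present."""
    key = attr_name + '="'
    start = tag.find(key)
    if start == -1:
        return ""
    end = tag.find('"', start + len(key))
    return tag[start:end + 1]


def matches_request(snippet: str, url: str, ignore_trailing_semicolon: bool) -> bool:
    """Does the attribute seen in the page appear in the decoded request?

    The closing quote is dropped before comparing because this model assumes it
    was supplied by the page. With ignore_trailing_semicolon=True (the behaviour
    the fix introduces in spirit) a trailing ';' is likewise allowed to be page
    content: it is a CSS declaration terminator and a JavaScript statement
    separator, so its presence in the page says nothing about the request."""
    haystack = decode_request(url)
    body = snippet[:-1] if snippet.endswith('"') else snippet
    candidates = [body]
    if ignore_trailing_semicolon and body.endswith(";"):
        candidates.append(body[:-1])
    return any(candidate in haystack for candidate in candidates)


if __name__ == "__main__":
    handler = reflected_handler(REFLECTED_TAG, "onload")
    print("reflected:", handler)
    print("strict match:", matches_request(handler, REQUEST_URL, ignore_trailing_semicolon=False))
    print("semicolon-tolerant match:", matches_request(handler, REQUEST_URL, ignore_trailing_semicolon=True))
    print("strict match, ';' appended to URL:", matches_request(handler, REQUEST_URL + ";", ignore_trailing_semicolon=False))
```

The strict comparison fails only because of the one byte the page added after the injected value; once that byte is also present in the request (the last line), or once the comparison tolerates it, the reflection is recognised. That is the same observation the earlier comment makes about appending the terminator to the payload.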
Apr 20 2018
Comment 1 by elawrence@chromium.org, Apr 17 2018
Components: Blink>SecurityFeature>XSSAuditor
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows Type-Bug
Summary: XSS Auditor does not prevent injection into an element attribute value (was: Security: XSS Auditor does not prevent script content coming directly from a query string parameter for an element attribute value)